UHS
Information Security Analyst - Application Security (Penetration Tester)
UHS, Paoli, Pennsylvania, United States, 19301
One of the nations largest and most respected providers of hospital and healthcare services, Universal Health Services, Inc. (NYSE: UHS) has built an impressive record of achievement and performance. Growing steadily since its inception into an esteemed Fortune 300 corporation, annual revenues were $15.8 billion in 2024. During the year, UHS was again recognized as one of the Worlds Most Admired Companies by Fortune; and listed in Forbes ranking of Americas Largest Public Companies. Headquartered in King of Prussia, PA, UHS has approximately 99,000 employees and continues to grow through its subsidiaries. Operating acute care hospitals, behavioral health facilities, outpatient facilities and ambulatory care access points, an insurance offering, a physician network and various related services located all over the U.S. States, Washington, D.C., Puerto Rico and the United Kingdom. www.uhs.com
The Corporate Information Services Department is seeking a dynamic and talented Information Security Analyst I-Application Security.
As a key member of our collaborative Cybersecurity team, the
Information Security Analyst I Application Security
will play a critical role in safeguarding UHS and affiliates information systems. In this role, you will be responsible for identifying, assessing, and mitigating security vulnerabilities in our applications, guiding secure development practices, and collaborating with development teams to embed security throughout the software development lifecycle (SDLC).Works with technical and non-technical staff to insure that deployed technologies are effectively and efficiently providing the intended controls consistent with established policies and procedures. Where appropriate, trains and supports technical staff in UHS affiliated locations to deploy, manage and support selected technologies. May oversee the technical aspects of tasks assigned to less experienced staff or contractors on projects, systems or applications assigned. Key Responsibilities include: Maintains selected information security technologies within guidelines of policies and in keeping with good project management principles. Monitors the resolution of maintenance or enhancement issues assigned by the UHS Customer Support Center. Perform in-depth security assessments of web, mobile, APIs, and cloud-based applications through code reviews, using tools such as SAST, DAST, IAST, SCA, manual techniques, and penetration testing. Periodically reviews deployed security technologies to ensure that the solutions continue to provide the intended protections efficiently and effectively. Work closely with DevOps and engineering teams to integrate security into CI/CD pipelines (DevSecOps). Identifies gaps in protection, and recommends solutions to remediate or mitigate the risks associated with the protection gaps. Document findings and assist in creating reports and metrics for technical and non-technical audiences. Assists more experienced members of the Information Security Team implement and support new information security technologies or processes. Works with staff at all levels in the organization, vendors and contractors to insure protections are effective, efficient and non-disruptive to the appropriate duties, rights and mission of the individuals and the organization(s) affected. Position Requirements: Bachelors degree in Computer Science, Cybersecurity, Information Technology, or related field; or equivalent practical experience. required. Minimum of 1-3 years experience in application security, vulnerability management, or penetration testing.1-3 years of relevant experience in Application Security (SAST, SCA, DAST, WAF, ASPM), or cybersecurity with background in secure code development (DevSecOps, SSDLC) preferred. Experience with security tools such as GitHub Advanced Security, Veracode, Snyk, or similar is a plus. Experience managing and supporting some or all of the following or similar information security technologies or processes: Anti-malware protections and analysis Web filtering and security Vulnerability scanning and management Encryption technologies for data at rest and data in transit Mobile device and removable media protection or management systems Authentication including various forms of SSO and MFA Cloud application security Security Information and Event Management (SIEM) systems Interpreting Common Vulnerabilities and Exposures (CVE ) data Device control Data Loss Prevention (DLP) Forensic analysis OWASP Top 10 OWASP MASVS (Mobile AppSec Verification Standard) Relevant Entry-Level Certifications (one or more required): OffSec Web Assessor (OSWA) Burp Suite Certified Practitioner (BSCP) TCM Security Practical Web Pentest Associate (PWPA) TCM Security Practical Web Pentest Professional (PWPP) TCM Security Practical Mobile Pentest Associate (PMPA) SANS GIAC Web Application Penetration Tester (GWAPT) SANS GIAC Web Application Defender (GWEB) SANS GIAC Mobile Device Security Analyst (GMOB) HTB Certified Bug Bounty Hunter (CBBH) renamed to Certified Web Exploitation Specialist (CWES) Relevant Advanced Certifications (one or more preferred): Offsec Web Expert (OSWE) HTB Certified Web Exploitation Expert (CWEE) TCM Security Practical Web Pentest Expert (PWPE) Bonus Broader Offensive Security Certifications: OffSec Certified Professional (OSCP) OffSec Experienced Penetration Tester (OSEP) TCM Security Practical Network Penetration Tester (PNPT) Hack the Box (HTB) Certified Penetration Testing Specialist (CPTS) Familiarity with risk assessment and risk management concepts or processes. Working knowledge of various regulatory security requirements particularly Sarbanes-Oxley (SOX), HIPAA, and HITECH. Working knowledge of common cyber security frameworks such as HITRUST, NIST, CSC20, or others. Familiarity with secure coding practices in Java, Python, PowerShell, JavaScript/TypeScript, Swift/Kotlin is a plus. Experience with mobile testing frameworks (MobSF, Drozer, Frida, Objection) is preferred. Experience with API testing methodologies and tools (Postman, Burp Pro extensions) is preferred. Experience with source control and CI/CD tools (GitHub, GitLab, Jenkins, Azure DevOps). Ability to prioritize multiple tasks and be detail oriented. Excellent communication, technical report writing, interpersonal and project management skills Significant relevant experience in addition to professional certifications and/or an Associates Degree (4 years) may be considered in lieu of the educational requirement. Travel Requirements:
Up to 5% - 10% US - to field locations may be necessary to complete assigned projects. This opportunity provides the following: Challenging and rewarding work environment Growth and development opportunities within UHS and its subsidiaries Competitive Compensation Excellent Medical, Dental, Vision and Prescription Drug Plan 401k plan with company match Generous Paid Time Off
Information Security Analyst I Application Security
will play a critical role in safeguarding UHS and affiliates information systems. In this role, you will be responsible for identifying, assessing, and mitigating security vulnerabilities in our applications, guiding secure development practices, and collaborating with development teams to embed security throughout the software development lifecycle (SDLC).Works with technical and non-technical staff to insure that deployed technologies are effectively and efficiently providing the intended controls consistent with established policies and procedures. Where appropriate, trains and supports technical staff in UHS affiliated locations to deploy, manage and support selected technologies. May oversee the technical aspects of tasks assigned to less experienced staff or contractors on projects, systems or applications assigned. Key Responsibilities include: Maintains selected information security technologies within guidelines of policies and in keeping with good project management principles. Monitors the resolution of maintenance or enhancement issues assigned by the UHS Customer Support Center. Perform in-depth security assessments of web, mobile, APIs, and cloud-based applications through code reviews, using tools such as SAST, DAST, IAST, SCA, manual techniques, and penetration testing. Periodically reviews deployed security technologies to ensure that the solutions continue to provide the intended protections efficiently and effectively. Work closely with DevOps and engineering teams to integrate security into CI/CD pipelines (DevSecOps). Identifies gaps in protection, and recommends solutions to remediate or mitigate the risks associated with the protection gaps. Document findings and assist in creating reports and metrics for technical and non-technical audiences. Assists more experienced members of the Information Security Team implement and support new information security technologies or processes. Works with staff at all levels in the organization, vendors and contractors to insure protections are effective, efficient and non-disruptive to the appropriate duties, rights and mission of the individuals and the organization(s) affected. Position Requirements: Bachelors degree in Computer Science, Cybersecurity, Information Technology, or related field; or equivalent practical experience. required. Minimum of 1-3 years experience in application security, vulnerability management, or penetration testing.1-3 years of relevant experience in Application Security (SAST, SCA, DAST, WAF, ASPM), or cybersecurity with background in secure code development (DevSecOps, SSDLC) preferred. Experience with security tools such as GitHub Advanced Security, Veracode, Snyk, or similar is a plus. Experience managing and supporting some or all of the following or similar information security technologies or processes: Anti-malware protections and analysis Web filtering and security Vulnerability scanning and management Encryption technologies for data at rest and data in transit Mobile device and removable media protection or management systems Authentication including various forms of SSO and MFA Cloud application security Security Information and Event Management (SIEM) systems Interpreting Common Vulnerabilities and Exposures (CVE ) data Device control Data Loss Prevention (DLP) Forensic analysis OWASP Top 10 OWASP MASVS (Mobile AppSec Verification Standard) Relevant Entry-Level Certifications (one or more required): OffSec Web Assessor (OSWA) Burp Suite Certified Practitioner (BSCP) TCM Security Practical Web Pentest Associate (PWPA) TCM Security Practical Web Pentest Professional (PWPP) TCM Security Practical Mobile Pentest Associate (PMPA) SANS GIAC Web Application Penetration Tester (GWAPT) SANS GIAC Web Application Defender (GWEB) SANS GIAC Mobile Device Security Analyst (GMOB) HTB Certified Bug Bounty Hunter (CBBH) renamed to Certified Web Exploitation Specialist (CWES) Relevant Advanced Certifications (one or more preferred): Offsec Web Expert (OSWE) HTB Certified Web Exploitation Expert (CWEE) TCM Security Practical Web Pentest Expert (PWPE) Bonus Broader Offensive Security Certifications: OffSec Certified Professional (OSCP) OffSec Experienced Penetration Tester (OSEP) TCM Security Practical Network Penetration Tester (PNPT) Hack the Box (HTB) Certified Penetration Testing Specialist (CPTS) Familiarity with risk assessment and risk management concepts or processes. Working knowledge of various regulatory security requirements particularly Sarbanes-Oxley (SOX), HIPAA, and HITECH. Working knowledge of common cyber security frameworks such as HITRUST, NIST, CSC20, or others. Familiarity with secure coding practices in Java, Python, PowerShell, JavaScript/TypeScript, Swift/Kotlin is a plus. Experience with mobile testing frameworks (MobSF, Drozer, Frida, Objection) is preferred. Experience with API testing methodologies and tools (Postman, Burp Pro extensions) is preferred. Experience with source control and CI/CD tools (GitHub, GitLab, Jenkins, Azure DevOps). Ability to prioritize multiple tasks and be detail oriented. Excellent communication, technical report writing, interpersonal and project management skills Significant relevant experience in addition to professional certifications and/or an Associates Degree (4 years) may be considered in lieu of the educational requirement. Travel Requirements:
Up to 5% - 10% US - to field locations may be necessary to complete assigned projects. This opportunity provides the following: Challenging and rewarding work environment Growth and development opportunities within UHS and its subsidiaries Competitive Compensation Excellent Medical, Dental, Vision and Prescription Drug Plan 401k plan with company match Generous Paid Time Off